Open payu-mpas opened 2 years ago
On 22 Mar 2022, at 21:50, Michal Pasierb wrote:
> I would like to create a moddn ACI which allows moving only a subset of objects from a source tree, based on attributes of the objects being moved.
> The ACI in question should allow the IPA it_support user group to delete-preserve all users except those belonging to the admins user group:
> dn: dc=my,dc=org
> changetype: modify
> add: aci
> aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org))")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)
> doesn't work at all, because targetfilter is executed against cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org and not against the user object which is modified.
I think the issue is in the target_from line. This is allowing that group to move cn=users itself to deleted users, I think.
Could you try:
aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org))")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)
Note the addition of the uid=* in target_from.
> Is there something I can use to reference the object which is moved, or does 389ds not have such functionality?
> Used version (CentOS 7): 389-ds-base-1.3.10.2-14.el7_9.x86_64
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
I tested with:
aci: (targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)
so only users from the admins group should be allowed to be deleted, but it doesn't work:
acl__ressource_match_aci - entry cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org does not match (memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)
I think targetfilter is always matching against target_to instead of target_from. I think this is not a bug and seems logical, but I would like to match against target_from. Possible?
On 24 Mar 2022, at 01:19, Michal Pasierb wrote:
> I tested with:
> aci: (targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)
> so only users from the admins group should be allowed to be deleted, but it doesn't work:
> acl__ressource_match_aci - entry cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org does not match (memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)
> I think targetfilter is always matching against target_to instead of target_from. I think this is not a bug and seems logical, but I would like to match against target_from. Possible?
I'm not sure that checks out; in my mind targetfilter is applied to the "target of the operation", which should be the from entry rather than the to entry. But if this is the behaviour, I think we would need to be careful about changing it.
Does anyone else have any ideas? Thierry?
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
@payu-mpas, what specific MODDN are you trying to do?
target_from and target_to are basically subtrees. Here the ACI grants the 'moddn' right to it_support to move entries from cn=users to cn=deleted_users, on the condition that the entry is a memberOf cn=admins.
Looking at
acl__ressource_match_aci - entry cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org does not match (memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org)
it looks to me like the destination entry (of the MODDN) is cn=deleted_users. Is that correct? Does it belong to cn=admins?
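The whole thread turns on one question: for a MODDN, which entry is the targetfilter evaluated against, the entry being moved or the destination container? The Python below is an added example written for this thread; it is a toy model, not 389-ds code, and it simplifies the real ACI semantics. It assumes Thierry's description of target_from/target_to as subtree matches (plus the uid=* wildcard William suggested), a constructed two-user directory (alice in cn=admins, bob not) in which the destination container carries no memberOf, and a filter evaluator that only understands equality and negation. Fed the thread's own ACI, it reproduces the shape of the acl__ressource_match_aci log line when the filter is applied to the destination, and it makes the consequence for the negated filter the poster actually wants explicit: evaluated against a container with no memberOf, (!(memberOf=...)) matches every move, so the admin exclusion does nothing; evaluated against the moved entry, it excludes exactly the admins.

```python
"""Toy model of moddn ACI evaluation for this thread.  Added example, NOT
389-ds code: it keeps only the pieces needed to show how the decision changes
with the entry the targetfilter is evaluated against."""
import re
from dataclasses import dataclass

# DNs taken from the ACI in the thread.
ADMINS = "cn=admins,cn=groups,cn=accounts,dc=my,dc=org"
IT_SUPPORT = "cn=it_support,cn=groups,cn=accounts,dc=my,dc=org"
DELETED = "cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org"

# Constructed sample directory: alice is in admins, bob is not, and the
# destination container has no memberOf attribute at all.
ENTRIES = {
    "uid=alice,cn=users,cn=accounts,dc=my,dc=org": {"memberof": [ADMINS]},
    "uid=bob,cn=users,cn=accounts,dc=my,dc=org": {"memberof": []},
    DELETED: {"objectclass": ["nscontainer"]},
}


def make_aci(targetfilter):
    """The thread's ACI (with the uid=* target_from) around a chosen filter."""
    return ('(targetfilter = "%s")' % targetfilter
            + '(target_to = "ldap:///%s")' % DELETED
            + '(target_from = "ldap:///uid=*,cn=users,cn=accounts,dc=my,dc=org")'
            + '(version 3.0;acl "IT Support - preserve subset of users";'
            + 'allow (moddn) groupdn = "ldap:///%s";)' % IT_SUPPORT)


def _strip_ldap(value):
    return value[len("ldap:///"):] if value.startswith("ldap:///") else value


def parse_aci(aci):
    """Extract the keywords this model needs from an ACI string."""
    kv = {k.lower(): v for k, v in re.findall(r'\((\w+)\s*=\s*"([^"]*)"\)', aci)}
    m = re.search(r'allow\s*\(([^)]*)\)\s*groupdn\s*=\s*"([^"]*)"', aci)
    if m is None or "targetfilter" not in kv:
        raise ValueError("ACI shape not supported by this model")
    return {"targetfilter": kv["targetfilter"],
            "target_from": _strip_ldap(kv["target_from"]),
            "target_to": _strip_ldap(kv["target_to"]),
            "rights": {r.strip().lower() for r in m.group(1).split(",")},
            "groupdn": _strip_ldap(m.group(2))}


def dn_matches(dn, pattern):
    """Subtree/wildcard DN match (assumption): the pattern's RDNs must match the
    tail of the entry's RDNs, and '*' matches any value.  No escaped commas."""
    d = [c.strip().split("=", 1) for c in dn.split(",")]
    p = [c.strip().split("=", 1) for c in pattern.split(",")]
    if len(p) > len(d):
        return False
    for (da, dv), (pa, pv) in zip(d[-len(p):], p):
        if da.lower() != pa.lower() or (pv != "*" and dv.lower() != pv.lower()):
            return False
    return True


def eval_filter(flt, attrs):
    """Minimal LDAP filter evaluator: equality and negation only."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("malformed filter: %s" % flt)
    inner = flt[1:-1]
    if inner.startswith("!"):
        return not eval_filter(inner[1:], attrs)
    attr, _, value = inner.partition("=")
    values = attrs.get(attr.strip().lower(), [])
    return value.strip().lower() in (v.lower() for v in values)


@dataclass
class Decision:
    allowed: bool
    tested_dn: str   # the entry the targetfilter was evaluated against
    reason: str


def evaluate_moddn(aci_str, bind_groups, entry_dn, new_parent, entries,
                   filter_on="destination"):
    """Decide a MODDN of entry_dn under new_parent.  filter_on picks the entry
    the targetfilter is applied to: "source" (the moved entry) or
    "destination" (the container, which is what the thread's log shows)."""
    aci = parse_aci(aci_str)
    new_dn = entry_dn.split(",", 1)[0] + "," + new_parent
    if "moddn" not in aci["rights"] or aci["groupdn"] not in bind_groups:
        return Decision(False, "", "bind DN lacks moddn from this ACI")
    if not dn_matches(entry_dn, aci["target_from"]):
        return Decision(False, "", "entry outside target_from")
    if not dn_matches(new_dn, aci["target_to"]):
        return Decision(False, "", "new DN outside target_to")
    tested = new_parent if filter_on == "destination" else entry_dn
    if not eval_filter(aci["targetfilter"], entries[tested]):
        # Same shape as the acl__ressource_match_aci line quoted in the thread.
        return Decision(False, tested, "entry %s does not match %s"
                        % (tested, aci["targetfilter"]))
    return Decision(True, tested, "targetfilter matched; moddn allowed")


def preserve_decisions(targetfilter, filter_on):
    """Which constructed users it_support may move, per filter target."""
    aci = make_aci(targetfilter)
    return {dn.split(",")[0]: evaluate_moddn(aci, {IT_SUPPORT}, dn, DELETED,
                                            ENTRIES, filter_on).allowed
            for dn in ENTRIES if dn.startswith("uid=")}


if __name__ == "__main__":
    positive = "(memberOf=%s)" % ADMINS       # the filter tested in the thread
    negated = "(!(memberOf=%s))" % ADMINS     # the filter the poster wants
    for flt in (positive, negated):
        for where in ("destination", "source"):
            print(where, flt, preserve_decisions(flt, where))
```

The point for anyone reviewing such an ACI: a filter meant to exclude a privileged group is only as good as the entry it is evaluated against, so confirm on the server which entry that is (the acl logging in the thread shows it directly) before relying on the exclusion.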
I would like to create a moddn ACI which allows moving only a subset of objects from a source tree, based on attributes of the objects being moved.
The ACI in question should allow the IPA it_support user group to delete-preserve all users except those belonging to the admins user group:
dn: dc=my,dc=org
changetype: modify
add: aci
aci: (targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=my,dc=org))")(target_to = "ldap:///cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org")(target_from = "ldap:///cn=users,cn=accounts,dc=my,dc=org")(version 3.0;acl "IT Support - preserve subset of users";allow (moddn) groupdn = "ldap:///cn=it_support,cn=groups,cn=accounts,dc=my,dc=org";)
doesn't work at all, because targetfilter is executed against cn=deleted users,cn=accounts,cn=provisioning,dc=my,dc=org and not against the user object which is modified.
Is there something I can use to reference the object which is moved, or does 389ds not have such functionality?
Used version (CentOS 7): 389-ds-base-1.3.10.2-14.el7_9.x86_64